Their Vatican library analogy is not perfect, but it could be. Once you have made the request, the time required to process a later request drops dramatically. This is because the librarian now knows that the book exists, and that you are not allowed to see it. In this case the librarian's short-term memory plays the part of the cache.

Trying to use this at the real Vatican would raise suspicions about the reason for so many requests, but computer hardware has no such suspicions. If you can get one bit of information from one request, nothing stops you from playing 20 questions to get more detailed information. Because the memory protection operations take place after data has been fetched for speculative execution, you can choose any instruction you like to execute on data you should not be allowed to see. Doing this billions of times a second can suck up all kinds of data.

The BIOS/UEFI updates are another problem to deal with. What is going on here is motherboard firmware loading new microcode into a writable microcode store used for patching bugs in the hardware. In my experience Intel security about how their microcode works is tighter than government security about major weapons systems. If this has been compromised it is quite possible attackers would use this opportunity to install their own backdoors into computers at a level that would be hard to avoid. A more subtle attack would be to provide bogus updates that do nothing, leaving the machine vulnerable to known attacks.

The major suppliers are providing updates to their BIOS/UEFI code for machines made in the last 5 years. Older machines will remain at risk, and the natural recommendation is to replace all such. This is the way companies can turn a profit from a major blunder. Read licensing and terms of service to see how little legal liability they have.

It is a safe bet that these measures will not be applied to large numbers of systems, leaving attackers the opportunity to find weakest links into organizations. Even if every machine in an organization is protected, it is a safe bet that some employees will have machines at home that are not protected. We can also expect to discover people storing their passwords for secure systems on insecure smart phones.

This will play out over a period of years.

How did we get in this mess?

The answer is that software architects were assuming that hardware protection would isolate processes running untrusted code from the most trusted kernel processes. This meant they did not have to worry about what code might be doing in those processes or containers. Knowing this is not true means you have to worry about every kind of code that might be downloaded, uploaded or compiled in an untrusted process. That covers a lot of territory.

(Many years ago, I showed someone how his neat trick with Word macros could be used to execute arbitrary code via a script. I had sat on this knowledge for about a year to allow a fix. M$ Office greatly expands the possibilities. At the time I first thought of this M$ Office did not exist, and that is really prehistoric.)

The vulnerability also applies to things run in virtual machines, and that means one hell of a lot of the Internet.

Ask Leo (Leo Notenboom) provides a very good understandable analogy on this page: What Do I Need to Do About Spectre and Meltdown

Don't give up before you get to: OK, but, what are these two things?

_________________
B.K. Johnson
tahrpup-6.0.5 PAE (upgraded from 6.0 =>6.0.2=>6.0.3=>6.0.5 via quickpet/PPM=Not installed); slacko-5.7 occasionally. Frugal install, pupsave file, multi OS flashdrive, FAT32 , SYSLINUX boot, CPU-Dual E2140, 4GB RAM

AMD has been vulnerable to some forms of Spectre from day one, so that is not news. AMD used a different implementation than Intel for the memory protection and caching exploited in Meltdown. This means that Intel exploits will not necessarily work on AMD chips, but it does not say there will not be AMD specific Meltdown exploits. There probably will be.

One interesting tidbit about these vulnerabilities is that they were discovered independently by four different individuals or groups. None of these, with the exception of Google, were what I would call the powerhouses of the microcomputer world. None of the security companies involved appear to be closely associated with national intelligence agencies like NSA, CIA, GCHQ, FSB or GRU. (It is easy to name some that are close.)

Google's Project Zero has previously caused intelligence agencies problems by disclosing vulnerabilities they were able to use. My inference from this is that neither the intelligence agencies nor the major suppliers of chips and software were interested in finding this. That makes me wonder if they already knew. Since these exploits do not leave malware code in the system or evidence in kernel logs it would be pure gold for an intelligence agency that wanted to exploit it without being detected.

We have new evidence that supporting W7 was not really high on Microsoft's list of priorities. I'm having trouble tallying the number of problems introduced versus those eliminated.

My own take is that all these companies have managed to complicate matters to such an extent they cannot support any system that has been used long enough to be considered reliable and secure. Efforts to vacuum up as much information about user activities as possible have continued to advance. People stunned by revelations about information acquired via Facebook or Google, then sold and reused for purposes those users would never have agreed to, have simply not been paying attention. If you are using a service you aren't paying for, it should be axiomatic that you are the product they are selling.

This is not simply a rant about M$. I have an Android tablet that is unlikely to ever be updated from Android 4.4, and a 4th generation iPad which is only fairly secure running iOS 10.3.3.

New devices are mainly considered secure because they have not been tested as extensively, and thus show fewer known vulnerabilities. Some of those discovered have been hard to imagine. Mac OS High Sierra 10.13.1 was rolled out with a lapse that allowed administrator login with no password.

At least the chips are things you can hold in your hand, and can be demonstrated to actually do something. Massive software is much harder to categorize in terms of how it behaves, thinking of it as a black box. When a new version comes out, how do you know if it addresses your problems better, or introduces new problems that benefit those selling?

There is a considerable business of selling things that are even less tangible. Consider this movie about massive fraud currently happening in U.S. stock markets. Pay attention to how major auditing firms like Price-Waterhouse have dramatically failed to uncover this because they only checked the paperwork. (To be even-handed, I remind people that Ernst & Young totally failed to warn investors about the looming collapse of Lehman Brothers in 2008. They remain in business today, unlike Arthur Andersen, which lost credibility by failing to detect massive fraud by Enron in 2001. Quis custodiet ipsos custodes?)

Just how far can criminals get before various institutional checks prevent them from going further? Consider Operation Odessa. They may not even be the biggest crooks out there, though they certainly are colorful.

That Chinese fraud had inadvertently popped up its head in at least two ways that I'm aware of.

The first was reported by 60-Minutes 3-4 years ago about the huge condo-cities that have owners, yet are empty. Even the huge parking facilities.

The second was the Macau rob-you-blind gaming. No one cared how much was won or lost, but rather, who was losing, and how many employees/partners/friends of the subject were involved. A case of Gang-economics and laundering.
